“When hackers breached companies like Dropbox and LinkedIn in recent years—stealing 71 million and 117 million passwords, respectively—they at least had the decency to exploit those stolen credentials in secret, or sell them for thousands of dollars on the dark web,” Andy Greenberg reports for Wired. “Now, it seems, someone has cobbled together those breached databases and many more into a gargantuan, unprecedented collection of 2.2 billion unique usernames and associated passwords and is freely distributing them on hacker forums and torrents, throwing out the private data of a significant fraction of humanity like last year’s phone book.”
“Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a patched-together set of breached databases Hunt said represented 773 million unique usernames and passwords,” Greenberg reports. “Now other researchers have obtained and analyzed an additional vast database called Collections #2–5, which amounts to 845 gigabytes of stolen data and 25 billion records in all. After accounting for duplicates, analysts at the Hasso Plattner Institute in Potsdam, Germany, found that the total haul represents close to three times the Collection #1 batch.”
“Most of the stolen data appears to come from previous thefts, like the breaches of Yahoo, LinkedIn, and Dropbox,” Greenberg reports. “Hasso Plattner Institute’s researchers found that 750 million of the credentials weren’t previously included in their database of leaked usernames and passwords, Info Leak Checker, and that 611 million of the credentials in Collections #2–5 weren’t included in the Collection #1 data. Hasso Plattner Institute researcher David Jaeger suggests that some parts of the collection may come from the automated hacking of smaller, obscure websites to steal their password databases, which means that a significant fraction of the passwords are being leaked for the first time.”
Read more in the full article – recommended – here.
MacDailyNews Take: You can check for your own username in the breach using Hasso Plattner Institute’s tool here.
If you find a breach, make sure you’ve changed that password.
As always, do not reuse passwords.
Keychain Access is Apple’s password management system in macOS. It was introduced with Mac OS 8.6, and has been included in all subsequent versions of Mac OS, including Mac OS X, OS X, and macOS. A macOS Keychain can contain various types of data: passwords (for websites, FTP servers, SSH accounts, network shares, wireless networks, groupware applications, encrypted disk images), private keys, certificates, and secure notes.
Your Mac’s Keychain Access application also has a built-in Password Assistant that can help you create good, strong passwords. To get to it, launch Keychain Access (found in Applications/Utilities), choose File > New Password Item, and use the “Password” input box to design your passwords. For more options, click the button with the black key icon next to the “Password” input box; this brings up the Password Assistant, which can make passwords for you (“memorable,” “letters and numbers,” etc.). Both options provide a colorful bar that goes from dark red (weak) to dark green (excellent) to indicate the password strength.
Make ’em strong and unique and manage/store them with Keychain Access which works across your Macs, iPads, iPhones, etc.